Page 1

Tito Cordero Jr.

Information System Security Manager

March 19, 2012

SIPRNet : Processes & Responsibility

Copyright © 2010 Raytheon Company. All rights reserved.

Customer Success Is Our Mission is a registered trademark of Raytheon Company.

UNCLASSIFIED


Page 2

What is SIPRNet?

SIPRNet stands for the Secret Internet Protocol Router Network. It is the Department of Defense's largest network for the exchange of classified information and messages at the SECRET level. It supports the Global Command and Control System, the Defense Message System, and numerous other classified war fighting and planning applications.

SIPRNet is no different from the Internet other than the domain name, which is '.smil.mil' or '.sgov.gov'.

SIPRNet uses the Transmission Control Protocol/Internet Protocol (TCP/IP) in a secure environment using COMSEC equipment such as a KIV-7M or KIV-7HSB.


Page 3

Organizations and Responsibilities

Defense Information Systems Agency (DISA)
- Responsible for Defense Information Systems Network (DISN) circuits and oversight.

Office of the Assistant Secretary of Defense for Networks and Information Integration (OASD(NII))
- Final approval authority for all connection requests in support of the sponsor's mission.

DISA SIPRNet Management Office
- Reviews SIPRNet requests and initial topologies to determine whether the proposed DISN solution is appropriate.
- Forwards the approved solution to OASD(NII) for approval.

Government Sponsor
- Sponsor/owner of the contractor connection.
- Provides funding for the circuit and any other services required for the contractor connection to SIPRNet (i.e. Computer Network Defense Service Provider (CNDSP), email, Domain Name Service (DNS)).

Defense Security Service (DSS)
- DAA for accrediting information systems used to process classified information in industry.
- Processes System Security Plans (SSP).

DISA Certification and Accreditation Office / Classified Connection Approval Office (CAO)
- Processes Connection Approval Packages (CAP); issues IATT, IATC and ATC.

9/6/2015


Page 4

Circuit Ordering

Government Contracting Authority (GCA)
- Requirements include a valid DD 254 that contains a mission support requirement.

GCA Sponsorship
- The sponsorship letter must contain the following: contract number, CAGE code, POC, network diagram, ports, websites and protocols.
- This is submitted to [email protected]

SIPRNet connection
- The DISA Direct ordering site https://www.disadirect.disa.mil/products/asp/welcome.asp, referred to as DISA Direct Order Entry (DDOE), is where you order your circuit. You must contact the DISN Global Support Center at 1-800-554-3476.

SIPRNet addresses
- Contact your Sponsor for IP addresses and web links, or contact the DoD Network Information Center (NIC) at 1-800-582-2567.


Page 5

Required Devices

Type 1 encryption: KIV-7HSB

A SIPRNet circuit requires a Type 1 encryption device, and the user must have the DTD, which can be programmed to handle (store, securely transport, and transfer) COMSEC and TRANSEC keys, Communications-Electronics Operating Instructions (CEOI), frequency hopping parameters, and net control operating directions for the evolving family of COMSEC equipment crucial to new communications systems.

AN/PYQ-10 Crypto Fill Device.

Page 6

Required Devices

Firewall equipment required as part of the SIPRNet connection:

- 1 Evaluated Assurance Level (EAL) 4 firewall
- 1 Intrusion Detection System (IDS)


Page 7

CNDSP

DoD 8530 Directive and Instruction provide guidance to:
– evaluate Computer Network Defense Service Providers (CNDSP)
– certify and accredit teams

Secondary goal: ensure a higher quality of protection through increased maturity and understanding of the services provided by the CNDSP.

Contractors must have a CNDSP assignment before they will be allowed connections to the DISN network.

CNDSP concerns:
– Cost
– Army Research Labs (ARL) is the only one accepting new CNDSP services
– Waiting time for sensors, as they have to be requested from the vendor

Recommendation:
– obtain CNDSP service with the acquisition of the circuit, prior to ATO/ATC


Page 8

CTO 10-133

A. THE LOCAL ISSM WILL:

(1) DIRECT ALL PERSONNEL TO CEASE DATA TRANSFERS TO REMOVABLE MEDIA ON THE SIPRNet.

(2) DISABLE "WRITE" PRIVILEGES, EITHER THROUGH PHYSICAL CONFIGURATION, SOFTWARE SETTINGS, HOST BASED SECURITY SYSTEM (HBSS) DEVICE CONTROL MODULE SETTINGS, OR ANY COMBINATION THEREOF.

(3) SET LOCAL GUIDELINES AND PROCEDURES FOR APPROVAL-DISAPPROVAL OF "WRITE" CAPABILITY TO REMOVABLE MEDIA ON THE SIPRNet.

(4) MAINTAIN A LIST OF ALL SYSTEMS THAT HAVE BEEN AUTHORIZED TO "WRITE" TO REMOVABLE MEDIA DEVICES.

B. SECURITY MANAGERS SHALL:

(1) PROVIDE AUTHORIZED USER APPROVALS TO THE ISSP AND ISSM. PROVIDE FINAL APPROVALS FOR ANY "WRITE" TO REMOVABLE MEDIA CAPABILITY WHICH THE COMMAND REQUIRES.

(2) DOCUMENT PERSONNEL APPROVED TO USE "WRITE" CAPABILITIES AT THE LOCAL LEVEL AND RETAIN ON FILE FOR A MINIMUM OF FIVE YEARS.

(3) ENSURE COMPLIANCE WITH REFERENCE A, PARA. 7.B(2) UPON COMPLETION OF WRITE ACTIVITY.
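Items A(2) and A(4) above are the ones an ISSM can actually verify on the host: writes to removable media must be blocked by at least one mechanism, and every system that is allowed to write must appear on the ISSM's authorized list. The script below is an added example of that verification and is not part of the slide deck or of any DISA or Raytheon tooling. It assumes two Windows registry locations that govern removable-disk writes (the "Removable Disks: Deny write access" Group Policy value and the StorageDevicePolicies WriteProtect flag), a flag reported by the HBSS agent for Device Control Module enforcement, and a constructed host inventory; all of those are assumptions, not content from the slide.

```python
"""Audit of removable-media "write" controls, modelled on CTO 10-133 items A(2)
(writes disabled by physical configuration, software settings, HBSS DCM, or any
combination) and A(4) (a maintained list of systems authorized to write).
Added example: registry locations, the HBSS flag and all sample data are assumptions."""
from dataclasses import dataclass
from typing import Optional

# Windows registry values that block writes to removable disks (assumed, not from the slide):
#  - Group Policy "Removable Disks: Deny write access" -> Deny_Write = 1 under the
#    Removable Disks device-class GUID
#  - StorageDevicePolicies\WriteProtect = 1 (machine-wide write protect)
DENY_WRITE_KEY = (r"SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices"
                  r"\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}")
WRITE_PROTECT_KEY = r"SYSTEM\CurrentControlSet\Control\StorageDevicePolicies"


@dataclass
class HostState:
    hostname: str
    deny_write: Optional[int]      # Deny_Write DWORD, None if the value is absent
    write_protect: Optional[int]   # WriteProtect DWORD, None if absent
    hbss_dcm_blocks_write: bool    # reported by the HBSS agent (constructed flag)


def read_dword(key_path, name):
    """Read one DWORD under HKLM on Windows; None when absent or not on Windows."""
    try:
        import winreg  # only available on Windows
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
            value, _ = winreg.QueryValueEx(key, name)
            return int(value)
    except OSError:
        return None


def collect_local_state(hostname, hbss_dcm_blocks_write=False):
    """Build a HostState for the machine the script runs on (Windows only)."""
    return HostState(hostname,
                     read_dword(DENY_WRITE_KEY, "Deny_Write"),
                     read_dword(WRITE_PROTECT_KEY, "WriteProtect"),
                     hbss_dcm_blocks_write)


def evaluate(host, authorized_hosts):
    """Classify one host. Writes blocked by any mechanism: COMPLIANT. Writes possible
    but the host is on the ISSM's list: AUTHORIZED_WRITE. Otherwise NONCOMPLIANT
    (write capability present with no recorded approval)."""
    blocked = (host.deny_write == 1 or host.write_protect == 1
               or host.hbss_dcm_blocks_write)
    if blocked:
        return "COMPLIANT"
    if host.hostname in authorized_hosts:
        return "AUTHORIZED_WRITE"
    return "NONCOMPLIANT"


def audit(hosts, authorized_hosts):
    """Per-host findings plus authorized entries that match no inventoried host;
    a stale entry on the A(4) list is a finding just as a missing entry is."""
    findings = {h.hostname: evaluate(h, authorized_hosts) for h in hosts}
    stale = sorted(set(authorized_hosts) - {h.hostname for h in hosts})
    return findings, stale


# Constructed inventory and authorized list for demonstration only.
SAMPLE_HOSTS = [
    HostState("WS-001", deny_write=1, write_protect=None, hbss_dcm_blocks_write=True),
    HostState("WS-002", deny_write=None, write_protect=1, hbss_dcm_blocks_write=False),
    HostState("XFER-01", deny_write=0, write_protect=None, hbss_dcm_blocks_write=False),
    HostState("WS-003", deny_write=None, write_protect=None, hbss_dcm_blocks_write=False),
]
SAMPLE_AUTHORIZED = {"XFER-01", "XFER-99"}

if __name__ == "__main__":
    results, stale_entries = audit(SAMPLE_HOSTS, SAMPLE_AUTHORIZED)
    for name, finding in results.items():
        print(f"{name:8} {finding}")
    print("stale authorizations:", stale_entries)
```

The evaluation is deliberately separated from collection: `evaluate` and `audit` run anywhere against states gathered from HBSS reports or remote registry reads, while `collect_local_state` only does useful work on a Windows host. Treating the authorized list as an input lets the same run surface both unapproved write capability (WS-003) and list entries for hosts that no longer exist (XFER-99).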


Page 9

Approval Package

After receiving circuit approval/validation and the circuit order, the contractor should develop all required security documentation and begin system configuration/hardening.

Required documentation for Connection Approval Package (CAP) submittal to the DISA Classified Connection Approval Office (CAO), [email protected]:

– DSS ISFO Process Manual for contractor Certification and Accreditation
  • System Security Plan (SSP), Protection Profile (PP), other documentation as required
  • Obtain DSS Accreditation Letter
– SIPRNet Connection Questionnaire (SCQ) with DSS RDAA signature (example)
– Consent to Monitor signed by sponsor
– Residual Risk Memorandum signed by contractor
– MOA between US ARL and the MACOM or Sponsor
– Topology diagram (example)
  • IP addresses are required (FOUO, unless otherwise specified by the sponsor with a supporting security classification guide)


Page 10

Connection Approval Process

• The DISA CAO manages the Connection Approval Process and security requirements for the SIPRNet.
• DISA CAO verifies the CAP is complete with all required documentation.
• Once the circuit is installed at the contractor facility (DMARC) and the security package is approved by DISA CAO, DISA will issue an Interim Approval To Test (IATT).
  – Note: prior to DISA scheduling a technician to install/configure the CSU/DSU, KIV-7 etc., the following items are required:
    • 1) DSS ATO
    • 2) CAP approved by DISA CAO
  – Burn-in & implementation by GNSC
• After burn-in and implementation by the GNSC, the CAO will initiate a remote compliance vulnerability scan. Once a successful scan has been completed, the CAO will issue an IATC/ATC.
• Contractor on SIPRNet


Page 11

SIPRNet Process Flowchart

(Flowchart on the original slide; the nodes and documents recovered from it, in process order:)

START: Contract requires SIPRNet connection (DD-254)
1. DoD Sponsor submits access request to JS/J6.
2. JS/J6 validates (SIPRNet validation letter to JS/J6).
3. OSD/CIO approves (SIPRNet Approval Letter from OSD/CIO).
4. DISA accepts the OSD/CIO letter and assigns a control No. and CCSD No. (Front Channel Message from DISA to DISA Field Service to initiate the connection).
5. DISA informs DSS about the new SIPRNet connection (DSS Letter to contractor FSO; MOA Letter for CNDSP Service).
6. Contractor prepares the System Security Plan (ATO, SCQ, Statement of Residual Risks, Consent to Monitoring).
7. DISA CCAO accepts all documents and issues an ATC (ATC Letter from DISA CCAO).
8. SIPRNet Maintenance Process.
END


Page 12

HBSS

Host Based Security System (HBSS): The Host Based Security System (HBSS) baseline is a flexible, commercial-off-the-shelf (COTS)-based application. It monitors, detects, and counters known cyber threats to the Department of Defense (DoD) Enterprise. Under the sponsorship of the Enterprise-wide Information Assurance and Computer Network Defense Solutions Steering Group (ESSG), the HBSS solution will be attached to each host (server, desktop, and laptop) in DoD. The system will be managed by local administrators and configured to address known exploit traffic using an Intrusion Prevention System (IPS) and host firewall. DISA PEO-MA is providing the program management and supporting the deployment of this solution.


Page 13

HBSS

HBSS with Device Control Manager (DCM):
– Active circuit with proper ATO and ATC
– Circuit must be approved by DSS, which will verify whether you meet the CTO 10-133 guidelines

Obtaining HBSS software:
– You can have your customer provide the software
– Contact the DISA HBSS web site http://www.disa.mil/hbss/

Configuration:
– Verify that your DCM module is installed correctly to prevent data transfers
– DSS must approve any data transfer if a Risk Acceptance Letter (RAL) is on file with the Master System Security Plan (MSSP)


Page 14

CCRI

United States Cyber Command (USCYBERCOM) directs CAM 09-031A, 09-039. The Defense Information Systems Agency executes the Command Cyber Readiness Inspection (CCRI) program.

– A Field Security Operations (FSO) team will coordinate the visit with the Information Assurance Manager and validate the SIPRNet connectivity.
– 120 day notice prior to CCRI
– An email from the CCRI team will request information for the coming inspection.
– Evaluation Criteria:
  DOD IA Enterprise Solution STIG
  HBSS checklist
  Windows STIG
  Windows 2003 Checklist
  Windows 2000 Checklist
– Tools Utilized:
  DOD Vulnerability Management System
  GOLD DISK [DISA]
  Manual processes as defined in checklists


Page 15

CCRI Form


Page 16

Vulnerability Management System


All systems in the Department of Defense (DoD) must be built in accordance with DoD requirements such as those outlined in the Security Technical Implementation Guides (STIGs) and consensus baseline standards. Tools such as the DoD Gold Disk and Defense Information Systems Agency (DISA) Field Security Operations (FSO) scripts can be used to build a compliant system.

Once a system is built, it must be maintained to ensure compliance with any new requirements such as Information Assurance Vulnerability Management (IAVM) notices, new STIG checks, Port and Protocol guidance, or Directives (e.g., Communications Tasking Orders (CTOs), Operational Orders (OPORDs)).

In November 2004, the Department of Defense released for use eEye's Retina/REM product suite as the DoD enterprise scanning solution for validating compliance with the Information Assurance Vulnerability Management (IAVM) process. This suite is known as the Secure Configuration Compliance Validation Initiative (SCCVI). The SCCVI can determine whether the system is in compliance with IAVM notices and some STIG requirements. If the system is not in compliance, the Secure Configuration Remediation Initiative (SCRI) can be used to remediate the vulnerability or exposure. Maintaining compliance with any new requirements helps to ensure the security of the system.

The Vulnerability Management System (VMS) was developed to interface with the DoD Enterprise tools to assist all DoD Combatant Commands, Services, Agencies, and Field Activities (CC/S/A/FAs) in the identification of security vulnerabilities and in tracking the issues through the lifecycle of the vulnerability's existence.

This user's guide provides common information for all users. It has been designed to familiarize you with VMS concepts and common functions, and general navigation information.

Page 17

VMS Process


Page 18

Overview of VMS Users and Roles

Many people use VMS to accomplish various tasks. These include:

- Vulnerability Entry Users
- Combatant Commands/Services/Agencies/Field Activities Points of Contact (CC/S/A/FA POCs)
- Designated Approving Authorities (DAA)
- Certification Authorities
- Information Assurance Managers (IAM)
- Information Assurance Officers (IAO)
- Accredited System/Program Managers (PM)
- System Administrators (SA)
- Network Administrators (NA)
- Security Managers (SM)
- Team Leads and Reviewers
- Command Oversight


Page 19

Overview of the Primary Data Tracked by VMS

In response to increased military reliance on a secure computing infrastructure, VMS continues to evolve as a near real-time security decision support system. At the core of the VMS model are:

Assets – Any computing device, building, network, vault, etc. that requires compliance with emerging vulnerabilities, configuration settings, and policies.

Vulnerabilities – Within VMS, the term vulnerability includes IAVM notices, configuration settings, and policy guidance. Vulnerabilities are tailored to the specific configuration of the asset as defined within VMS. As vulnerabilities are added to and removed from specific configurations, they are added to and removed from the appropriate assets.

Statuses – Each asset and vulnerability has a status that is determined by a script, scan, or manual determination. The status history, user type, and tool used to determine the status are also maintained. Self-assessment, outside review, or internal security managers can contribute to the status and validation history for all vulnerabilities.
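The three definitions above describe a data model: vulnerabilities hang off configurations rather than off assets directly, so adding or withdrawing a notice for a configuration changes what every asset with that configuration is assessed against, and each (asset, vulnerability) pair carries a status history that records who made the determination and with what tool. The toy implementation below is an added illustration of that model and is not DISA's VMS code; the class, the status and user-type vocabularies, and every asset, configuration and notice identifier in the sample scenario are constructed for the example.

```python
"""Toy model of the VMS data core described on the slide: assets, vulnerabilities
tailored to asset configurations, and per-(asset, vulnerability) status with history.
Added illustration, not DISA's VMS; all identifiers and sample values are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str   # constructed ids such as "IAVM-0001"
    kind: str      # "IAVM", "STIG" or "Policy", the three kinds the slide names


@dataclass
class StatusRecord:
    status: str      # "Open", "Not a Finding" or "Not Applicable"
    user_type: str   # "Self-assessment", "Outside review" or "Security manager"
    tool: str        # "script", "scan" or "manual"


class VMS:
    def __init__(self):
        self.config_vulns = defaultdict(set)   # configuration -> set of Vulnerability
        self.asset_configs = {}                # asset -> set of configurations
        self.history = defaultdict(list)       # (asset, vuln_id) -> [StatusRecord, ...]

    def register_asset(self, asset, configurations):
        self.asset_configs[asset] = set(configurations)

    def add_vulnerability(self, configuration, vuln):
        # Attaching to a configuration makes the vulnerability appear on every
        # asset that has that configuration; nothing is written per asset.
        self.config_vulns[configuration].add(vuln)

    def remove_vulnerability(self, configuration, vuln_id):
        # Removal propagates the same way: applicable() recomputes from configurations,
        # so the asset no longer carries the vulnerability, while its history is kept.
        self.config_vulns[configuration] = {
            v for v in self.config_vulns[configuration] if v.vuln_id != vuln_id}

    def applicable(self, asset):
        """Vulnerabilities tailored to the asset: the union over its configurations."""
        return set().union(*(self.config_vulns[c] for c in self.asset_configs[asset]))

    def record_status(self, asset, vuln_id, status, user_type, tool):
        """Append a determination; refuse statuses for vulnerabilities that do not apply."""
        if vuln_id not in {v.vuln_id for v in self.applicable(asset)}:
            raise ValueError(f"{vuln_id} does not apply to {asset}")
        self.history[(asset, vuln_id)].append(StatusRecord(status, user_type, tool))

    def current_status(self, asset, vuln_id):
        """Latest determination; a vulnerability with no determination yet is Open."""
        records = self.history.get((asset, vuln_id))
        return records[-1].status if records else "Open"

    def open_findings(self, asset):
        return sorted(v.vuln_id for v in self.applicable(asset)
                      if self.current_status(asset, v.vuln_id) == "Open")


def build_sample():
    """Constructed scenario: two Windows hosts (one with an HBSS agent) and a router;
    a self-assessment scan closes one notice and an outside review reopens it."""
    vms = VMS()
    vms.register_asset("ws-01", {"Windows 2003"})
    vms.register_asset("ws-02", {"Windows 2003", "HBSS agent"})
    vms.register_asset("rtr-01", {"Cisco IOS"})
    vms.add_vulnerability("Windows 2003", Vulnerability("IAVM-0001", "IAVM"))
    vms.add_vulnerability("Windows 2003", Vulnerability("STIG-WIN-0100", "STIG"))
    vms.add_vulnerability("HBSS agent", Vulnerability("HBSS-CHK-07", "STIG"))
    vms.record_status("ws-01", "IAVM-0001", "Not a Finding", "Self-assessment", "scan")
    vms.record_status("ws-01", "IAVM-0001", "Open", "Outside review", "manual")
    return vms


if __name__ == "__main__":
    sample = build_sample()
    for asset in sample.asset_configs:
        print(asset, "open:", sample.open_findings(asset))
    print("ws-01 IAVM-0001 history:", sample.history[("ws-01", "IAVM-0001")])
```

The point worth noticing is that status is never stored on the asset: it is a history keyed by the pair, so an outside reviewer's later determination supersedes a self-assessment scan without erasing it, which is what makes the validation history auditable.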
